VM images lack an integrity check of the file system at boot time

Summary

The lack of a root file system integrity check in the VM appliance may allow an attacker with read/write access to the VM image (before it is booted) to inject malicious implants into the image, which then run with the appliance's own privileges on every subsequent boot.

Affected Products

FortiOS VM all versions below 6.0.5 (CVE-2019-5587)

FortiManager VM version 6.2.0, and versions 6.0.6 and below (CVE-2019-6695)

Solutions

Upgrade to FortiOS VM version 6.0.5 or 6.2.0

Upgrade to FortiManager VM version 6.0.7 or 6.2.1


Workarounds:


Before deploying or booting a VM image, verify its integrity by computing the SHA-512 checksum of the downloaded file and comparing it with the checksum indicated on https://support.fortinet.com/ (downloads section) for that image. Do not boot an image whose checksum does not match exactly.
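The following script is an added example of how to carry out that check on the hypervisor or deployment host; it is not part of this advisory and not Fortinet tooling. The image path and expected hash are placeholders to be replaced with the file you downloaded and the value shown on the support portal for exactly that file. The script refuses to accept an empty, truncated or malformed expected hash, so a mis-pasted value cannot produce a false "OK":

```shell
#!/bin/sh
# Added example (not from the advisory): verify a downloaded VM image against
# the SHA-512 published on the vendor support portal before it is ever booted.
# Usage: verify_image_sha512 <image-file> <expected-sha512-hex>
# Image path and expected hash are placeholders supplied by the operator.

# Compute the SHA-512 of a file as lowercase hex with whichever tool is present.
sha512_of_file() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | awk '{print $1}'
    else
        openssl dgst -sha512 "$1" | awk '{print $NF}'
    fi
}

# Return 0 if the file's digest equals the expected one, 1 otherwise.
# The expected value is lowercased and stripped of whitespace so a hash
# copy-pasted from the portal compares correctly; any other difference
# (tampered image, wrong file, truncated hash) is treated as a mismatch.
verify_image_sha512() {
    image="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
    if [ ! -f "$image" ]; then
        echo "ERROR: image not found: $image" >&2
        return 1
    fi
    # A SHA-512 digest is exactly 128 hex characters. Reject anything else
    # rather than letting an empty or truncated expected value slip through.
    case "$expected" in
        *[!0-9a-f]*|'')
            echo "ERROR: expected hash is not 128 hex characters" >&2
            return 1 ;;
    esac
    if [ "${#expected}" -ne 128 ]; then
        echo "ERROR: expected hash is not 128 hex characters" >&2
        return 1
    fi
    actual=$(sha512_of_file "$image")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $image matches the published SHA-512"
        return 0
    fi
    echo "MISMATCH: $image" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Stand-alone use: ./verify.sh fortios.qcow2 <hash from the support portal>
# Exits non-zero on mismatch so it can gate an automated deployment step.
if [ "$#" -eq 2 ]; then
    verify_image_sha512 "$1" "$2" || exit 1
fi
```

Run the check on the copy of the image that will actually be attached to the VM (for example, after it has been uploaded to the hypervisor datastore), not only on the download on a workstation: the threat described in this advisory is write access to the image before boot, so a checksum taken earlier in the pipeline says nothing about the file that is finally booted.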


Revision History:

05-17-2019 Initial Version
07-15-2019 CVE-2019-6695 disclosed
11-14-2019 CVE-2019-6695 fixed in the 6.0 branch.


Acknowledgement

Fortinet is pleased to thank Bart Dopheide of Axians for reporting CVE-2019-5587, and the independent research team of Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev for reporting CVE-2019-6695, under responsible disclosure.